<html>
<head><meta charset="utf-8"><title>cargo-audit · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html">cargo-audit</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="178039849"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178039849" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178039849">(Oct 13 2019 at 14:18)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> can you do an abscissa release and then bump the abscissa and failure versions in cargo-audit? I think that'll reduce the number of copies of syn/quote/proc-macro2 that get compiled, which should help with build speed</p>



<a name="178039857"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178039857" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178039857">(Oct 13 2019 at 14:19)</a>:</h4>
<p>I'm happy to do the PRs for cargo-audit, but obviously I can't do an abscissa release</p>



<a name="178039859"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178039859" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178039859">(Oct 13 2019 at 14:19)</a>:</h4>
<p>yeah I've been planning on it. there are a few other things I want to get in there</p>



<a name="178039867"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178039867" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178039867">(Oct 13 2019 at 14:19)</a>:</h4>
<p>just been updating all of my other pre-1.0 custom derive stuff</p>



<a name="178039932"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178039932" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178039932">(Oct 13 2019 at 14:21)</a>:</h4>
<p>Just realized we also need gumdrop-derive, which doesn't have a release that uses the 1.0 family. Left a comment asking them for it.</p>



<a name="178040074"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178040074" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178040074">(Oct 13 2019 at 14:25)</a>:</h4>
<p>yeah that just got a PR to bump it</p>



<a name="178040114"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178040114" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178040114">(Oct 13 2019 at 14:26)</a>:</h4>
<p>which I've also been waiting on</p>



<a name="178040138"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178040138" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178040138">(Oct 13 2019 at 14:27)</a>:</h4>
<p>The PR was merged, so I left a comment asking about a release.</p>



<a name="178045350"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178045350" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178045350">(Oct 13 2019 at 16:50)</a>:</h4>
<p>gumdrop release out!</p>



<a name="178045880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178045880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178045880">(Oct 13 2019 at 17:04)</a>:</h4>
<p>woop</p>



<a name="178050092"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178050092" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178050092">(Oct 13 2019 at 18:52)</a>:</h4>
<p>ok, this gets rid of all of the pre-1.0 proc macro crates: <a href="https://github.com/iqlusioninc/abscissa/pull/141" target="_blank" title="https://github.com/iqlusioninc/abscissa/pull/141">https://github.com/iqlusioninc/abscissa/pull/141</a></p>



<a name="178051501"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178051501" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178051501">(Oct 13 2019 at 19:30)</a>:</h4>
<p><a href="/user_uploads/4715/U3PPpohurNZlinG-FbkMbEP4/Screenshot-2019-10-13-at-3.28.58-PM.png" target="_blank" title="Screenshot-2019-10-13-at-3.28.58-PM.png">Screenshot-2019-10-13-at-3.28.58-PM.png</a> </p>
<div class="message_inline_image"><a href="/user_uploads/4715/U3PPpohurNZlinG-FbkMbEP4/Screenshot-2019-10-13-at-3.28.58-PM.png" target="_blank" title="Screenshot-2019-10-13-at-3.28.58-PM.png"><img src="/user_uploads/4715/U3PPpohurNZlinG-FbkMbEP4/Screenshot-2019-10-13-at-3.28.58-PM.png"></a></div><p>I did a <code>cargo +nightly build -Z timings --release</code> on cargo-audit <code>master</code>. That's the build graph, filtered to only crates that took &gt;15 seconds to compile. It looks like getting down to only a single version of the proc macro crates will help a lot, but there's some other crates that still take a ton of time to compile.</p>



<a name="178051837"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178051837" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178051837">(Oct 13 2019 at 19:41)</a>:</h4>
<p>heh, wow @ <code>darling_core</code> taking longer than <code>serde_derive</code></p>



<a name="178051845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178051845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178051845">(Oct 13 2019 at 19:41)</a>:</h4>
<p>wonder why</p>



<a name="178051901"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178051901" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178051901">(Oct 13 2019 at 19:42)</a>:</h4>
<p>I feel like both of them are at 10x what I'd like :-)</p>



<a name="178052971"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178052971" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178052971">(Oct 13 2019 at 20:11)</a>:</h4>
<p><a href="https://github.com/RustSec/cargo-audit/pull/154" target="_blank" title="https://github.com/RustSec/cargo-audit/pull/154">https://github.com/RustSec/cargo-audit/pull/154</a></p>



<a name="178062188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/178062188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#178062188">(Oct 14 2019 at 00:38)</a>:</h4>
<p>ok, v0.10.0 is out w/ the upgrades <a href="https://crates.io/crates/cargo-audit" target="_blank" title="https://crates.io/crates/cargo-audit">https://crates.io/crates/cargo-audit</a></p>



<a name="179755498"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179755498" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179755498">(Nov 03 2019 at 17:27)</a>:</h4>
<p>At long last I've turned <a href="https://github.com/Shnatsel/rust-audit" target="_blank" title="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a> into an RFC against Cargo: <a href="https://github.com/rust-lang/rfcs/pull/2801" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2801">https://github.com/rust-lang/rfcs/pull/2801</a></p>



<a name="179756114"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179756114" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179756114">(Nov 03 2019 at 17:45)</a>:</h4>
<p>Cool! I left a few comments</p>



<a name="179756447"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179756447" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179756447">(Nov 03 2019 at 17:54)</a>:</h4>
<p>Great comments, thanks a lot!</p>



<a name="179756460"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179756460" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179756460">(Nov 03 2019 at 17:54)</a>:</h4>
<p>Hmm, I wonder if I can abuse my access at Google to get Go developers to chime in on what has and hasn't worked for them with this metadata</p>



<a name="179757293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179757293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179757293">(Nov 03 2019 at 18:14)</a>:</h4>
<p>awesome</p>



<a name="179760856"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179760856" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179760856">(Nov 03 2019 at 19:55)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> when I was at Square we had a tool like this for Ruby applications. It found all Gemfile.lock files on production servers/containers, audited them against RubySec, and then auto-filed VULN tickets against the app owners</p>



<a name="179760915"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179760915" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179760915">(Nov 03 2019 at 19:56)</a>:</h4>
<p>tickets also auto-closed when the apps were updated</p>



<a name="179761046"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179761046" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179761046">(Nov 03 2019 at 19:59)</a>:</h4>
<p>I am not familiar with the Ruby software distribution model. Is that file necessary to run the program?</p>



<a name="179761147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179761147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179761147">(Nov 03 2019 at 20:01)</a>:</h4>
<p>it's the most common way of managing Ruby apps. not completely necessary but definitely the most popular</p>



<a name="179761209"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179761209" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179761209">(Nov 03 2019 at 20:02)</a>:</h4>
<p>So it was a distinct file you had to ship, but it was typical for it to be shipped. Cool! Could you add this as a comment on the PR?</p>



<a name="179761242"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179761242" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179761242">(Nov 03 2019 at 20:03)</a>:</h4>
<p>If Go had a vuln db, and I had a lot more free time, I'd probably write something at $work that scanned docker images for binaries with embedded go.mod info, did a vuln check on them, and then filed tickets if either a) that image was :latest, or b) there was anything in the container orchestration system using that image.</p>



<a name="179761434"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179761434" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179761434">(Nov 03 2019 at 20:08)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> yeah sure. you can imagine it sort of like a runtime Cargo.lock</p>



<a name="179767129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767129">(Nov 03 2019 at 22:54)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> could you chime in on the reproducible builds angle in <a href="https://github.com/rust-lang/rfcs/pull/2801" target="_blank" title="https://github.com/rust-lang/rfcs/pull/2801">https://github.com/rust-lang/rfcs/pull/2801</a> ?</p>



<a name="179767158"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767158" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767158">(Nov 03 2019 at 22:55)</a>:</h4>
<p><code>Cargo.lock</code> should be deterministic for a given toolchain and index state, I think...</p>



<a name="179767207"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767207" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767207">(Nov 03 2019 at 22:56)</a>:</h4>
<p>I'm playing around with trying to make a reproducible build tool based on Rustwide</p>



<a name="179767208"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767208" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767208">(Nov 03 2019 at 22:56)</a>:</h4>
<p>Eh, I don't think I can vouch for Cargo.lock having stable sort order</p>



<a name="179767225"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767225" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767225">(Nov 03 2019 at 22:57)</a>:</h4>
<p>For reproducible builds this seems to be both a blessing (the info is right there in the binary) and a curse (the info itself is hard to make reproducible) - and there are concerns around the crate coming from one registry or another and that evaluating to different metadata</p>



<a name="179767229"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767229" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767229">(Nov 03 2019 at 22:57)</a>:</h4>
<p>I mean, if anything...</p>



<a name="179767230"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767230" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767230">(Nov 03 2019 at 22:57)</a>:</h4>
<p>reproducing a build needs Cargo.lock</p>



<a name="179767231"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767231" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767231">(Nov 03 2019 at 22:57)</a>:</h4>
<p>you can't reproduce a build without it</p>



<a name="179767271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767271">(Nov 03 2019 at 22:58)</a>:</h4>
<p>as an input</p>



<a name="179767277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767277">(Nov 03 2019 at 22:58)</a>:</h4>
<p>so if anything it's a helpful forensic artifact for reproducing builds! <span aria-label="smiley" class="emoji emoji-1f603" role="img" title="smiley">:smiley:</span></p>



<a name="179767346"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767346" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767346">(Nov 03 2019 at 23:00)</a>:</h4>
<p>Some are calling for including <code>(crate-name, version, hash)</code> only without the source URL of any kind. Do you think including registry URL or git repo url is helpful, or hinders reproducibility?</p>



<a name="179767428"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767428" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767428">(Nov 03 2019 at 23:03)</a>:</h4>
<p>the git repo stuff should allow you to reproduce the build still, if you have access to the repo and the relevant commits are still there</p>



<a name="179767449"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767449" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767449">(Nov 03 2019 at 23:04)</a>:</h4>
<p><code>Cargo.lock</code> encodes all of the commit hashes for each package</p>



<a name="179767487"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767487" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767487">(Nov 03 2019 at 23:04)</a>:</h4>
<p>I guess this is about commit hash only vs repo url as well</p>



<a name="179767503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767503">(Nov 03 2019 at 23:05)</a>:</h4>
<p>I think they might be a bit... entangled</p>



<a name="179767615"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767615" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767615">(Nov 03 2019 at 23:08)</a>:</h4>
<p>uuh, repo url is not included in the hash</p>



<a name="179767703"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767703" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767703">(Nov 03 2019 at 23:10)</a>:</h4>
<p>here's an example:</p>



<a name="179767704"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767704" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767704">(Nov 03 2019 at 23:10)</a>:</h4>
<div class="codehilite"><pre><span></span>[[package]]
name = &quot;libra-config&quot;
version = &quot;0.1.0&quot;
source = &quot;git+https://github.com/libra/libra.git?rev=66734424#667344248287a1647f42a793e92414853a5fa335&quot;
</pre></div>



<a name="179767720"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767720" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767720">(Nov 03 2019 at 23:11)</a>:</h4>
<p>also trying to redact Cargo.lock all gets very tricky with v1 vs v2, heh</p>



<a name="179767839"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767839" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767839">(Nov 03 2019 at 23:14)</a>:</h4>
<p>What's v1 vs v2?</p>



<a name="179767913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767913">(Nov 03 2019 at 23:16)</a>:</h4>
<p>Darn, embedding paths is getting really thorny really quickly. Maybe I should just make it an optional, off-by-default thing. This way enterprise can enforce it and use it, and everybody else enjoys no info leaks.</p>



<a name="179767990"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179767990" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179767990">(Nov 03 2019 at 23:19)</a>:</h4>
<p><a href="https://github.com/rust-lang/cargo/pull/7070" target="_blank" title="https://github.com/rust-lang/cargo/pull/7070">https://github.com/rust-lang/cargo/pull/7070</a></p>



<a name="179768036"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179768036" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179768036">(Nov 03 2019 at 23:20)</a>:</h4>
<p>shipped in 1.38 I think?</p>



<a name="179851002"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit/near/179851002" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.html#179851002">(Nov 04 2019 at 16:50)</a>:</h4>
<p>OIC. Thanks for the input on the thread!<br>
We got a response from a Rust team member too, encouraging on the basic direction but with a lot of valid points about the weaknesses of the current proposal.<br>
They all seem to be actionable, so I'll try to iterate on the RFC and request another round of review. Any help is appreciated, just brainstorming solutions for those points would be great.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>